Acceptable Use Policy

Last Updated: February 2026

This Acceptable Use Policy ("Policy") governs your use of Pamastay's healthcare claims analytics platform and related services ("Services"). This Policy is incorporated by reference into your service agreement with Pamastay, Inc. ("Pamastay," "we," "us," or "our"). By using our Services, you agree to comply with this Policy.

1. Purpose

This Policy is designed to:

• Protect the confidentiality, integrity, and availability of Protected Health Information (PHI) and other sensitive data
• Ensure compliance with HIPAA, HITECH, and other applicable healthcare regulations
• Maintain the security, performance, and reliability of the Pamastay platform
• Define customer responsibilities for data quality, authorization, and proper use
• Prevent fraud, waste, abuse, and misuse of the Services

2. Data Authorization and Rights

You represent, warrant, and agree that:

• You have obtained all necessary authorizations, consents, and legal rights to provide data to Pamastay for processing
• Your provision of data to Pamastay complies with all applicable federal, state, and local laws and regulations, including HIPAA, HITECH, state privacy laws, and applicable program requirements (e.g., CMS program requirements for ACOs)
• For data received from CMS, health plans, or other third parties, you have executed all required data use agreements and are authorized to share such data with Business Associates for permitted purposes
• You will not provide any data for which you lack appropriate legal authority, including data obtained through unauthorized access or breach
• You maintain and can demonstrate a valid legal basis under HIPAA and applicable law for each disclosure of PHI to Pamastay

3. Data Quality Requirements

You shall ensure that all data provided to Pamastay:

• Conforms to the file formats, schemas, and specifications provided by Pamastay or agreed upon during implementation
• Is accurate, complete, and current to the best of your knowledge
• Does not contain malicious code, viruses, malware, or other harmful components
• Is transmitted using secure, encrypted methods as specified by Pamastay (e.g., SFTP, secure API, TLS 1.2+)
• Has been validated prior to submission to minimize processing errors and data quality issues

You shall apply the HIPAA minimum necessary standard and provide only the PHI that is reasonably necessary for Pamastay to perform the contracted Services.

4. HIPAA Compliance

If you are a Covered Entity or Business Associate under HIPAA, you shall:

• Execute a Business Associate Agreement (BAA) with Pamastay prior to transmitting PHI
• Implement and maintain appropriate administrative, physical, and technical safeguards to protect PHI in your possession or control
• Ensure that all authorized users are trained on HIPAA requirements and your privacy and security policies
• Immediately notify Pamastay of any restrictions on use or disclosure of PHI that may affect Pamastay's ability to perform the Services
• Not request Pamastay to use or disclose PHI in any manner that would violate HIPAA
• Cooperate with Pamastay in investigating any security incident or breach affecting PHI

5. Prohibited Uses

You and your authorized users shall not:

5.1 Data Misuse

• Use the Services to process, store, or transmit PHI or other data for which you lack proper authorization or legal rights
• Upload data known to be inaccurate, falsified, or fabricated
• Use the Services to identify, re-identify, or contact individual patients for marketing, sales, or other purposes not authorized under HIPAA
• Disclose, share, or transmit analytics, reports, or outputs containing PHI to unauthorized recipients
• Export or download PHI for purposes unrelated to the contracted Services

5.2 System Misuse

• Attempt to gain unauthorized access to any portion of the Services, other accounts, computer systems, or networks
• Probe, scan, or test the vulnerability of the Services or breach security or authentication measures
• Interfere with or disrupt the Services or connected servers or networks
• Transmit viruses, worms, defects, or other harmful code
• Use any robot, spider, scraper, or automated means to access the Services without Pamastay's written permission
• Reverse engineer, decompile, disassemble, or attempt to derive the source code or algorithms of the Services

5.3 Legal and Regulatory Violations

• Use the Services in violation of any applicable law or regulation, including HIPAA, HITECH, the False Claims Act, Anti-Kickback Statute, or Stark Law
• Use the Services to facilitate healthcare fraud, billing fraud, upcoding, unbundling, or other fraudulent activities
• Use the Services to discriminate against any individual on the basis of any protected characteristic
• Use analytics or insights derived from the Services to engage in anti-competitive practices

5.4 Credential Violations

• Share login credentials, passwords, or access tokens with unauthorized individuals
• Fail to promptly revoke access for terminated employees or contractors
• Access or attempt to access data belonging to other Pamastay customers
• Use shared or generic accounts (each user must have unique credentials)

6. Access Controls and Security

You shall:

• Designate an administrator responsible for managing user accounts
• Ensure each authorized user has a unique login credential
• Review access permissions at least quarterly and promptly remove access for terminated or transferred personnel
• Enable multi-factor authentication (MFA) where provided
• Immediately notify Pamastay of any suspected unauthorized access or credential compromise

6.1 Export and Download Requirements

When exporting or downloading data from the Services, you shall:

• Limit exports to the minimum data necessary for the intended purpose
• Encrypt exported files containing PHI at rest and in transit
• Store exported PHI only on authorized, secure systems
• Dispose of exported data securely when no longer needed

7. Incident Notification

You shall notify Pamastay as soon as practicable, but no later than seventy-two (72) hours after discovering:

• Any unauthorized access to or use of your Pamastay account
• Any security incident involving data processed through the Services
• Compromise or suspected compromise of any user credentials
• Any malware or security threat affecting systems used to access the Services
• Any audit, investigation, or inquiry by a regulatory agency related to your use of the Services

You shall cooperate with Pamastay in investigating security incidents, including preserving evidence and assisting with remediation.

8. Monitoring

Pamastay reserves the right to monitor use of the Services for security, performance, and compliance purposes. Such monitoring may include logging of access activities, data transfers, and system interactions. Monitoring information may be used to investigate suspected violations of this Policy.

9. Enforcement

Suspension: Pamastay may immediately suspend access to the Services if we reasonably believe that you have violated this Policy, that continued access poses a security risk, or that suspension is necessary to comply with law or prevent harm. We will provide notice and the reason for suspension as soon as reasonably practicable.

Termination: Material or repeated violations of this Policy constitute a material breach of your service agreement, entitling Pamastay to terminate in accordance with the agreement's termination provisions. Upon termination, data will be returned or destroyed in accordance with the terms of your Agreement and applicable law.

10. Policy Updates

Pamastay may update this Policy from time to time to address security threats, regulatory changes, or operational needs. Updates will be posted to this page. Material changes will be communicated at least thirty (30) days before taking effect. Continued use of the Services after the effective date of any update constitutes acceptance of the updated Policy.

11. Contact Us

Questions regarding this Policy should be directed to:

Pamastay Inc.
Email: support@pamastay.com